IBM Security QRadar


Installing/integrating Qradar on Linux based systems (server) which resides in AWS environment

  • 1.  Installing/integrating Qradar on Linux based systems (server) which resides in AWS environment

    Posted Wed October 07, 2020 02:04 AM
    Hi All,

    We have a requirement in our organization where we need to integrate a Linux-based server that resides in an AWS environment.

    I understood from previous posts how to configure the Linux OS for syslog to forward events to QRadar; however, when I added the log source it shows "Not available" (after deploying changes).

    What concerns me is the fact that this Linux server resides in an AWS environment, so what log source type and protocol type should I be using, and what are the prerequisites for successful integration (I mean connectivity or anything else)?

    We are using an on-premise data gateway / Event Collector (so the device sends logs to this Event Collector and this EC further forwards them to QRadar).

    Any advice and guidance is welcome.


    Regards
    Asif Siddiqui


    ------------------------------
    Asif Siddiqui Senior Security Analyst
    ------------------------------


  • 2.  RE: Installing/integrating Qradar on Linux based systems (server) which resides in AWS environment

    Posted Thu October 08, 2020 10:47 AM
    Hi Asif,

    If you had an Event Collector deployed in your AWS environment you could send the Linux events directly to that EC via syslog, as the DSM Guide recommends. But if your ECs are in your on-prem data centre and the AWS environment has no network line-of-sight to them, then direct syslog forwarding is not an option. We have protocols for collecting from AWS S3 storage (the "Amazon AWS S3 REST API" protocol) or from the CloudWatch Logs service or Kinesis Data Streams service (the "Amazon Web Services" protocol). The usage of both protocols is described in the DSM Guide. If you can get your AWS-based Linux machines logging to one of these AWS services, then using these protocols you can obtain the events that way.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------
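For the direct-syslog case Colin describes (an Event Collector the Linux host can actually reach), the following rsyslog forwarding snippet is an added illustration, not configuration from this thread or from IBM documentation; EC_ADDRESS, port 514 and TCP transport are assumptions to be replaced with your own collector details.

```conf
# /etc/rsyslog.d/10-qradar.conf  (added example, not from the thread)
# Forward all local events to a QRadar Event Collector over TCP.
# EC_ADDRESS is a placeholder: use a collector inside the VPC, or the
# on-prem EC only if a route/VPN gives the host line-of-sight to it.
# A disk-assisted queue keeps events across a short outage instead of
# dropping them, and infinite retries stop rsyslog from giving up.
*.* action(type="omfwd"
           target="EC_ADDRESS"
           port="514"
           protocol="tcp"
           queue.type="LinkedList"
           queue.filename="qradar_fwd"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
```

After `systemctl restart rsyslog`, send a test line with `logger -t qradar-test "connectivity check"` and confirm it arrives on the collector; if the host cannot reach EC_ADDRESS on 514/tcp (security group, NACL or routing), nothing will arrive and the CloudWatch Logs or S3 collection path from the reply above is the alternative.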